[原创 ]iOS Dualboot 手動修改-iOS安全-看雪-安全社区|安全招聘|kanxue.com

最新回复 (8)
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 2 楼二 Patching bootchain 1. iBSS Patch 解密 iBSS xpwntool 輸入輸出 -iv <IV> -k <Key> IDA Pro 載入查看 ROM:00000044 LDR R1, =0x34000000 0x34000000 為載入基址 Edit > Segments > Rebase program...設定基址為 0x34000000 搜尋字串 iBSS ready, asking for DFU... 來到這裡 ROM:340008F2 LDR R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n" ROM:340008F4 BL sub_3400C850 ROM:340008F8 BL sub_34007A18 ROM:340008FC MOVW R10, #0 ROM:34000900 ADD.W R11, SP, #0x14 ROM:34000904 MOV.W R8, #1 ROM:34000908 MOVT.W R10, #0x8FE0 ; 改為 #0x7FD0 ROM:3400090C ROM:3400090C loc_3400090C ROM:3400090C MOVS R0, #1 ROM:3400090E BL sub_340098B4 ROM:34000912 MOV.W R0, #0x200000 ROM:34000916 MOV.W R1, #0x200000 ROM:3400091A STR R0, [SP,#0x14] ROM:3400091C MOV R0, R10 ROM:3400091E STR.W R10, [SP,#0x18] ROM:34000922 BL sub_3400B12C ; 改為NOP ROM:34000926 MOV R6, R0 ROM:34000928 CMP R6, #0 ROM:3400092A BLT loc_3400090C ; 改為NOP iPhone 4S 改為 #0xBFD0 0x908 ?B F? D0 ?? 其他改為 #0x7FD0 0x908 ?7 F? D0 ?? iOS 8 則搜尋 HEX 00 00 E0 8F (0x8FE00000) 改為與 multi_kloader 批配的 iBEC Remap addresses 0x7FD00000 搜尋字串 Apple Mobile Device (DFU Mode) x 選擇第一項目來到這裡 ROM:3400A638 sub_3400A638 ROM:3400A638 PUSH {R4,R7,LR} ROM:3400A63A LDR R4, =0x34012D34 ROM:3400A63C MOVS R0, #0 ROM:3400A63E ADD R7, SP, #4 ROM:3400A640 LDRB R1, [R4] ROM:3400A642 CMP R1, #0 ROM:3400A644 IT NE ROM:3400A646 POPNE {R4,R7,PC} ROM:3400A648 LDR R0, =aAppleMobileDev ; "Apple Mobile Device (DFU Mode)" ROM:3400A64A BL sub_3400A6B8 sub_3400A638 x 返回 ROM:3400B12C sub_3400B12C ROM:3400B12C PUSH {R4-R7,LR} ROM:3400B12E LDR R5, =0x34012EF0 ROM:3400B130 ADD R7, SP, #0xC ROM:3400B132 STRD.W R0, R1, [R5] ROM:3400B136 BL sub_3400A638 ; 返回到此 sub_3400B12C x 返回 ROM:340008F2 LDR R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n" ROM:340008F4 BL sub_3400C850 ROM:340008F8 BL sub_34007A18 ROM:340008FC MOVW R10, #0 ROM:34000900 ADD.W R11, SP, #0x14 ROM:34000904 MOV.W R8, #1 ROM:34000908 MOVT.W R10, #0x8FE0 ; 改為 #0xBFD0 ROM:3400090C ROM:3400090C loc_3400090C ROM:3400090C MOVS R0, #1 ROM:3400090E BL sub_340098B4 ROM:34000912 MOV.W R0, #0x200000 ROM:34000916 MOV.W R1, #0x200000 ROM:3400091A STR R0, [SP,#0x14] ROM:3400091C MOV R0, R10 ROM:3400091E STR.W R10, [SP,#0x18] ROM:34000922 BL sub_3400B12C ; 返回到此改為NOP ROM:34000926 MOV R6, R0 ROM:34000928 CMP R6, #0 ROM:3400092A BLT loc_3400090C ; BLT loop 改為NOP 0x922 00 BF 00 BF 0x92A 00 BF 搜尋 TEXT "CMP R1, #0x41 ; 'A'" 代碼開頭 x 返回 ROM:340065E8 IT NE ROM:340065EA ORRNE.W R6, R6, #4 ROM:340065EE ADD R3, SP, #0xC8+var_90 ROM:340065F0 MOV R1, R5 ROM:340065F2 MOV R2, R6 ROM:340065F4 BL sub_34006190 ; 來到這裡改為 MOVS R0, #0 STR R0, [R3] ROM:340065F8 MOVS R1, #0 ROM:340065FA CMP R0, #0 0x65F4 00 20 18 60 然後往上看 ROM:3400657C BL sub_340060E4 ; 這裡進入 ROM:34006580 MOV.W R10, #0xFFFFFFFF ROM:34006584 CMP R0, #0 ROM:34006586 BNE.W loc_3400679E ROM:3400658A LDR R0, [SP,#0xC8+var_84] ROM:3400658C MOVS R5, #0 ROM:3400658E CMP R6, #0 ROM:34006590 LDR R0, [R0] ROM:34006592 LDR R0, [R0,#0x10] ROM:34006594 STR R0, [SP,#0xC8+var_9C] ROM:34006596 BEQ loc_340065B0 x 2 ROM:34006598 ROM:34006598 loc_34006598 ROM:34006598 MOV.W R10, #0xFFFFFFFF ROM:3400659C CMP R5, R6 ROM:3400659E BCS.W loc_3400679E ROM:340065A2 LDR.W R0, [R8,R5,LSL#2] ROM:340065A6 ADDS R5, #1 ROM:340065A8 LDR R1, [SP,#0xC8+var_9C] ROM:340065AA CMP R0, R1 ROM:340065AC BNE loc_34006598 ROM:340065AE LDR R5, [SP,#0xC8+var_9C] ROM:340065B0 ROM:340065B0 loc_340065B0 x 2 ROM:340065B0 LDR R1, [R4,#0xC] ROM:340065B2 MOVW R2, #0x6733 ROM:340065B6 LDR R0, [R4,#0x10] ROM:340065B8 MOVT.W R2, #0x696D ROM:340065BC CMP R1, R2 ROM:340065BE ITT EQ ROM:340065C0 MOVEQ R6, #1 ROM:340065C2 TSTEQ.W R0, #0x200 ROM:340065C6 BEQ loc_340065CE ; x 1 ROM:340065C8 AND.W R0, R0, #4 ROM:340065CC LSRS R6, R0, #2 ROM:340065CE ROM:340065CE loc_340065CE x 1 ROM:340065CE BL sub_34006EB0 ROM:340065D2 MOV R1, R0 ROM:340065D4 MOVS R0, #0 ROM:340065D6 STRB.W R0, [SP,#0xC8+var_90] ROM:340065DA LDR R0, [SP,#0xC8+var_84] ROM:340065DC CMP R0, #0 ROM:340065DE BEQ.W loc_3400682A ROM:340065E2 CMP R1, #0 ROM:340065E4 LDR.W R8, [R4,#0x10] ROM:340065E8 IT NE ROM:340065EA ORRNE.W R6, R6, #4 ROM:340065EE ADD R3, SP, #0xC8+var_90 ROM:340065F0 MOV R1, R5 ROM:340065F2 MOV R2, R6 ROM:340065F4 BL sub_34006190 ; 改為 MOVS R0, #0 STR R0, [R3] 來到這裡 ROM:340060E4 sub_340060E4 ROM:340060E4 PUSH {R4-R7,LR} ROM:340060E6 ADD R7, SP, #0xC ROM:340060E8 PUSH.W {R8,R10} ROM:340060EC MOV R6, R2 ROM:340060EE MOV R8, R0 ROM:340060F0 MOV R10, R3 ROM:340060F2 MOV R5, R1 ROM:340060F4 MOVS R0, #0x16 ROM:340060F6 CMP R6, #0x14 ROM:340060F8 BCC loc_34006188 ROM:340060FA LDR R1, [R5] ROM:340060FC MOVW R2, #0x6733 ROM:34006100 MOVS R0, #0x16 ROM:34006102 MOVT.W R2, #0x496D ROM:34006106 CMP R1, R2 ROM:34006108 BNE loc_34006188 ROM:3400610A LDR R1, [R5,#8] ROM:3400610C SUB.W R2, R6, #0x14 ROM:34006110 MOVS R0, #0x16 ROM:34006112 CMP R1, R2 ROM:34006114 BHI loc_34006188 ; 改為 NOP ROM:34006116 LDR R2, [R5,#0xC] ROM:34006118 MOVS R0, #0x16 ROM:3400611A CMP R2, R1 ROM:3400611C BHI loc_34006188 0x6114 00 BF 修改完後不用加密 2017-8-24 20:11 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 3 楼 2. iBEC Patch 解密 iBEC 用法: xpwntool 輸入輸出 -iv <IV> -k <Key> IDA Pro 載入查看 ROM:00000044 LDR R1, =0x9FF00000 0x9FF00000 為載入基址 Edit > Segments > Rebase program...設定基址為 0x9FF00000 搜尋 TEXT "CMP R1, #0x41 ; 'A'" 代碼開頭 x 返回 ROM:9FF1A3D0 MOV R1, R5 ROM:9FF1A3D2 MOV R2, R6 ROM:9FF1A3D4 BL sub_9FF19CC0 ; 返回到此改為 MOVS R0, #0 STR R0, [R3] 0x1A3D4 00 20 18 60 然後往上看代碼 ROM:9FF1A35C BL sub_9FF19C14 ; 這裡進入 ROM:9FF1A360 MOV.W R10, #0xFFFFFFFF ROM:9FF1A364 CMP R0, #0 ROM:9FF1A366 BNE.W loc_9FF1A57E ROM:9FF1A36A LDR R0, [SP,#0xC8+var_84] ROM:9FF1A36C MOVS R5, #0 ROM:9FF1A36E CMP R6, #0 ROM:9FF1A370 LDR R0, [R0] ROM:9FF1A372 LDR R0, [R0,#0x10] ROM:9FF1A374 STR R0, [SP,#0xC8+var_9C] ROM:9FF1A376 BEQ loc_9FF1A390 ; x 2 ROM:9FF1A378 ROM:9FF1A378 loc_9FF1A378 ROM:9FF1A378 MOV.W R10, #0xFFFFFFFF ROM:9FF1A37C CMP R5, R6 ROM:9FF1A37E BCS.W loc_9FF1A57E ROM:9FF1A382 LDR.W R0, [R8,R5,LSL#2] ROM:9FF1A386 ADDS R5, #1 ROM:9FF1A388 LDR R1, [SP,#0xC8+var_9C] ROM:9FF1A38A CMP R0, R1 ROM:9FF1A38C BNE loc_9FF1A378 ROM:9FF1A38E LDR R5, [SP,#0xC8+var_9C] ROM:9FF1A390 ROM:9FF1A390 loc_9FF1A390 x 2 ROM:9FF1A390 LDR R1, [R4,#0xC] ; x 2 ROM:9FF1A392 MOVW R2, #0x6733 ROM:9FF1A396 LDR R0, [R4,#0x10] ROM:9FF1A398 MOVT.W R2, #0x696D ROM:9FF1A39C CMP R1, R2 ROM:9FF1A39E ITT EQ ROM:9FF1A3A0 MOVEQ R6, #1 ROM:9FF1A3A2 TSTEQ.W R0, #0x200 ROM:9FF1A3A6 BEQ loc_9FF1A3AE ; x 1 ROM:9FF1A3A8 AND.W R0, R0, #4 ROM:9FF1A3AC LSRS R6, R0, #2 ROM:9FF1A3AE ROM:9FF1A3AE loc_9FF1A3AE x 1 ROM:9FF1A3AE BL sub_9FF1DF64 ROM:9FF1A3B2 MOV R1, R0 ROM:9FF1A3B4 MOVS R0, #0 ROM:9FF1A3B6 STRB.W R0, [SP,#0xC8+var_90] ROM:9FF1A3BA LDR R0, [SP,#0xC8+var_84] ROM:9FF1A3BC CMP R0, #0 ROM:9FF1A3BE BEQ.W loc_9FF1A60A ROM:9FF1A3C2 CMP R1, #0 ROM:9FF1A3C4 LDR.W R8, [R4,#0x10] ROM:9FF1A3C8 IT NE ROM:9FF1A3CA ORRNE.W R6, R6, #4 ROM:9FF1A3CE ADD R3, SP, #0xC8+var_90 ROM:9FF1A3D0 MOV R1, R5 ROM:9FF1A3D2 MOV R2, R6 ROM:9FF1A3D4 BL sub_9FF19CC0 ; 改為 MOVS R0, #0 STR R0, [R3] 來到這裡 ROM:9FF19C14 sub_9FF19C14 ROM:9FF19C14 PUSH {R4-R7,LR} ROM:9FF19C16 ADD R7, SP, #0xC ROM:9FF19C18 PUSH.W {R8,R10} ROM:9FF19C1C MOV R6, R2 ROM:9FF19C1E MOV R8, R0 ROM:9FF19C20 MOV R10, R3 ROM:9FF19C22 MOV R5, R1 ROM:9FF19C24 MOVS R0, #0x16 ROM:9FF19C26 CMP R6, #0x14 ROM:9FF19C28 BCC loc_9FF19CB8 ROM:9FF19C2A LDR R1, [R5] ROM:9FF19C2C MOVW R2, #0x6733 ROM:9FF19C30 MOVS R0, #0x16 ROM:9FF19C32 MOVT.W R2, #0x496D ROM:9FF19C36 CMP R1, R2 ROM:9FF19C38 BNE loc_9FF19CB8 ROM:9FF19C3A LDR R1, [R5,#8] ROM:9FF19C3C SUB.W R2, R6, #0x14 ROM:9FF19C40 MOVS R0, #0x16 ROM:9FF19C42 CMP R1, R2 ROM:9FF19C44 BHI loc_9FF19CB8 ; 改為 NOP ROM:9FF19C46 LDR R2, [R5,#0xC] ROM:9FF19C48 MOVS R0, #0x16 ROM:9FF19C4A CMP R2, R1 ROM:9FF19C4C BHI loc_9FF19CB8 0x19C44 00 BF 找尋字串 debug-enabled x 選擇第一項目來到這裡 ROM:9FF1AED0 loc_9FF1AED0 ROM:9FF1AED0 LDR.W R0, =aDebugEnabled ; "debug-enabled" ROM:9FF1AED4 ADD R1, SP, #0xAC+var_3C ROM:9FF1AED6 STR R0, [SP,#0xAC+var_3C] ROM:9FF1AED8 ADD R2, SP, #0xAC+var_40 ROM:9FF1AEDA LDR R0, [SP,#0xAC+var_34] ROM:9FF1AEDC ADD R3, SP, #0xAC+var_38 ROM:9FF1AEDE BL sub_9FF17B8C ROM:9FF1AEE2 CMP R0, #1 ROM:9FF1AEE4 BNE loc_9FF1AEF6 ROM:9FF1AEE6 MOVS R0, #0x20 ; ' ' ROM:9FF1AEE8 BL sub_9FF20E40 ; 改為 MOVS R0, #1 ROM:9FF1AEEC CMP R0, #1 ROM:9FF1AEEE ITTT EQ ROM:9FF1AEF0 LDREQ R0, [SP,#0xAC+var_40] ROM:9FF1AEF2 MOVEQ R1, #1 ROM:9FF1AEF4 STREQ R1, [R0] 0x1AEE8 01 20 01 20 找尋字串 upgrade 改為 fsboot 找尋字串 false 改為 true 找尋字串 Reliance on this certificate by any party assumes acceptance 位於 offset 0x42680 0x42680+0x9FF00000=0x9FF42680 Byte = 80 26 F4 9F 在 0x42680 寫入 rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff 搜尋 rd=md0 nand-enable-reformat=1 -progress offset 位於 offset 0x3B810 0x3B810+0x9FF00000=0x9FF3B810 Byte = 10 B8 F3 9F 搜尋指標指向 0x9FF3B810 的位址找尋 Byte 10 B8 F3 9F 0x1C250 指標指向 0x9FF3B810 將 rd=md0 ... 指標替換為 rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff 的指標 offset 0x1C250 寫入 80 26 F4 9F (0x9FF42680) 修改完後添加img3檔頭用法: xpwntool 輸入輸出 -t <原始加密文件> 範例: xpwntool iBEC.dec iBEC -t iBEC.n94ap.RELEASE.dfu 2017-8-24 20:13 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 4 楼 3. keybagd Patch for iOS 6/7 安裝第二系統後使用scp下載 root@device_ip:/mnt3/usr/libexec/keybagd 到電腦修改，改完後替換源文件並重新簽名。搜尋 RegisterBackupBag __const:0000A27C DCD cfstr_Com_apple_keys ; "com.apple.keystore.device" __const:0000A280 DCD cfstr_Registerbackup ; "RegisterBackupBag" __const:0000A284 DCD sub_23B8+1 ; 這裡點進去 __text:000023B8 PUSH {R4-R7,LR} __text:000023BA ADD R7, SP, #0xC ; 改為 MOVS R0, #0 POP {R4-R7,PC} __text:000023BC STR.W R8, [SP,#0xC+var_10]! __text:000023C0 SUB SP, SP, #0x34 __text:000023C2 MOV R5, R1 __text:000023C4 MOV R1, #(cfstr_Backupkeybagke - 0x23D2) ; "BackupKeyBagKeys" __text:000023CC MOV R8, R0 __text:000023CE ADD R1, PC ; "BackupKeyBagKeys" __text:000023D0 MOV R0, R5 __text:000023D2 BL sub_1CA4 __text:000023D6 MOVW R1, #(:lower16:(cfstr_Passcode - 0x23E6)) ; "Passcode" __text:000023DA MOV R6, R0 __text:000023DC MOVT.W R1, #(:upper16:(cfstr_Passcode - 0x23E6)) ; "Passcode" __text:000023E0 MOV R0, R5 __text:000023E2 ADD R1, PC ; "Passcode" 0x13BA 00 20 F0 BD 搜尋 EXPORT _AppleKeyStoreKeyBagChangeSecret x 返回來到這裡 __text:0000622A BL _AppleKeyStoreKeyBagGetSystem __text:0000622E MOV R1, R0 __text:00006230 MOV.W R0, #0xFFFFFFFF __text:00006234 CBNZ R1, loc_6266 ; 改為 B __text:00006236 LDR R0, [SP,#0x1C+var_14] __text:00006238 MOV R1, R6 __text:0000623A MOV R2, R5 __text:0000623C BL _AppleKeyStoreKeyBagChangeSecret __text:00006240 MOV R1, R0 __text:00006242 MOV.W R0, #0xFFFFFFFF __text:00006246 CBNZ R1, loc_6266 __text:00006248 LDR R0, [SP,#0x1C+var_14] __text:0000624A MOV R2, #(aPrivateVar - 0x625A) ; "/private/var/" __text:00006252 MOV.W R8, #1 __text:00006256 ADD R2, PC ; "/private/var/" __text:00006258 MOVS R1, #0 __text:0000625A MOV R3, R4 __text:0000625C STR.W R8, [SP,#0x1C+var_1C] __text:00006260 STR R1, [SP,#0x1C+var_18] __text:00006262 BL _KBSaveBagHandle 0x5234 17 E0 搜尋 EXPORT _KBUpdateSystemKeyBag __text:00006338 EXPORT _KBUpdateSystemKeyBag __text:00006338 PUSH {R4-R7,LR} __text:0000633A ADD R7, SP, #0xC __text:0000633C STR.W R8, [SP,#0xC+var_10]! __text:00006340 SUB SP, SP, #0xC __text:00006342 MOV R5, R0 __text:00006344 MOV R0, #(aPrivateVarKeyb - 0x6358) ; "/private/var//keybags" __text:0000634C MOV R1, #(aSystembag - 0x635A) ; "systembag" __text:00006354 ADD R0, PC ; "/private/var//keybags" __text:00006356 ADD R1, PC ; "systembag" __text:00006358 BL _KBLoadKeyBag __text:0000635C MOV R6, R0 __text:0000635E CMP R6, #0 __text:00006360 BEQ loc_63EC ; 改為 B __text:00006362 MOVW R1, #(:lower16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff" __text:00006366 MOV R0, R6 __text:00006368 MOVT.W R1, #(:upper16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff" 0x5360 ?? E0 搜尋字串 auto-boot __text:00002BCA ADD R0, PC ; "keybagd" __text:00002BCC BL sub_2A4C __text:00002BD0 MOV R0, #(aAutoBoot - 0x2BE4) ; "auto-boot" __text:00002BD8 MOV R1, #(aFalse - 0x2BE6) ; 將字串改為 true __text:00002BE0 ADD R0, PC ; "auto-boot" __text:00002BE2 ADD R1, PC ; "false" 搜尋字串 false 改為 true 0x00結尾 2017-8-24 20:17 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 5 楼三磁碟分割調整第二分割區大小 ================================ 調整 /private/var 分割區大小來釋放空間，來建立另外兩個新的分割區。 * 檢查空間使用 ssh 連接裝置 ssh root@device_ip # df -B1 Filesystem 1B-blocks Used Available Use% Mounted on /dev/disk0s1s1 2332835840 2224795648 84713472 97% / devfs 26624 26624 0 100% /dev /dev/disk0s1s2 13521633280 476921856 13044711424 4% /private/var /dev/disk1 240852992 69222400 171630592 29% /Developer / 為系統分割區(system) /private/var 為資料分割區(data) 1B-blocks 總空間 Used 已用空間 Available 可用空間上面看到資料分割區: 總空間為 13521633280 byte (約12.59GB) 已經使用 476921856 byte (約454.8MB) 剩餘空間 13044711424 byte (約12.14GB) 資料分割區至少預留400-500MB的可用空間，iOS是從真實的可用空間中減去200MB，所以至少必須留700MB以上的空間。例如：我們要分配8GB的空間給第二系統, 其餘的可用空間留給「disk0s1s2 資料分割區」計算新的大小 8102410241024 = 8589934592 byte 第二分區大小 - 第三分割區大小 = 第二分割區新的大小總空間(13521633280) - 8G(8589934592) = 資料分割區新的大小(4931698688) byte (約4.59GB) 用法: hfs_resize 掛載點新的大小(byte) 範例:調整 /private/var 容量為4.59G(4931698688 byte) hfs_resize /private/var 4931698688 然後執行df查看調整結果 # df -B1 Filesystem 1B-blocks Used Available Use% Mounted on /dev/disk0s1s1 2332835840 2224795648 84713472 97% / devfs 26624 26624 0 100% /dev /dev/disk0s1s2 4931698688 474763264 4456935424 10% /private/var /dev/disk1 240852992 69222400 171630592 29% /Developer 編輯分割區* 編輯磁碟 gptfdisk /dev/rdisk0s1 列出分割表 p Command (? for help): p Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB Logical sector size: 4096 bytes Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079 Partition table holds up to 2 entries First usable sector is 6, last usable sector is 3870725 Partitions will be aligned on 2-sector boundaries Total free space is 0 sectors (0 bytes) Number Start (sector) End (sector) Size Code Name 1 6 569545 2.2 GiB AF00 System 2 569546 3870725 12.6 GiB AF00 Data 第一分割區開始區塊 6 結束區塊 569545 第二分割區開始區塊 569546 結束區塊 3870725 1個區塊等於 4096-byte (4KB)，區塊對齊也就是俗稱的4K對齊。第二分割區修正 hfs_resize 調整可能無法對齊區塊，所以必須使用gptfdisk重新對齊資料分割區的區塊。顯示分割區2的詳細信息 i 2 Command (? for help): i Partition number (1-2): 2 Partition GUID code: 48465300-0000-11AA-AA11-00306543ECAC (Apple HFS/HFS+) Partition unique GUID: 353A726C-E8E1-4A9C-BD2D-BF34F7810862 First sector: 569546 (at 2.2 GiB) Last sector: 3870725 (at 14.8 GiB) Partition size: 3301180 sectors (12.6 GiB) Attribute flags: 0003000000000000 Partition name: 'Data' 記住 Partition unique GUID : 353A726C-E8E1-4A9C-BD2D-BF34F7810862 後面恢復GUID會用到。刪除第二分割區 d 2 Command (? for help): d Partition number (1-2): 2 計算第二分割區區塊大小新的大小(byte) / 4096 = 區塊大小 4931698688 / 4096 = 1204028 開始區塊 + 區塊大小 = 結束區塊 569546 + 1204028 = 1773574 記住第二分割區結束區塊大小為 1773574 修正第二分割區區塊大小建立新的分割區 n ENTER 1773574 ENTER Command (? for help): n Using 2 First sector (569546-3870725, default = 569546) or {+-}size{KMGTP}: Last sector (569546-3870725, default = 3870725) or {+-}size{KMGTP}: 1773574 Current type is 'Apple HFS/HFS+' Hex code or GUID (L to show codes, Enter = AF00): Changed type of partition to 'Apple HFS/HFS+' 修改第二分割區標籤為 Data c 2 Data Command (? for help): c Partition number (1-2): 2 Enter name: Data 查看修改結果 p Command (? for help): p Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB Logical sector size: 4096 bytes Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079 Partition table holds up to 2 entries First usable sector is 6, last usable sector is 3870725 Partitions will be aligned on 2-sector boundaries Total free space is 2097151 sectors (8.0 GiB) Number Start (sector) End (sector) Size Code Name 1 6 569545 2.2 GiB AF00 System 2 569546 1773574 4.6 GiB AF00 Data 修正第二分割區 Attribute flags 通常系統分割區 Attribute flags 為 0000000000000000 資料分割區 Attribute flags 為 0003000000000000 x a 2 48 49 ENTER Command (? for help): x Expert command (? for help): a Partition number (1-2): 2 Known attributes are: 0: system partition 1: hide from EFI 2: legacy BIOS bootable 60: read-only 62: hidden 63: do not automount Attribute value is 0000000000000000. Set fields are: No fields set Toggle which attribute field (0-63, 64 or <Enter> to exit): 48 Have enabled the 'Undefined bit #48' attribute. Attribute value is 0001000000000000. Set fields are: 48 (Undefined bit #48) Toggle which attribute field (0-63, 64 or <Enter> to exit): 49 Have enabled the 'Undefined bit #49' attribute. Attribute value is 0003000000000000. Set fields are: 48 (Undefined bit #48) 49 (Undefined bit #49) Toggle which attribute field (0-63, 64 or <Enter> to exit): 恢復先前的GUID 先前紀錄的 Partition unique GUID 為 353A726C-E8E1-4A9C-BD2D-BF34F7810862 c 2 353A726C-E8E1-4A9C-BD2D-BF34F7810862 Expert command (? for help): c Partition number (1-2): 2 Enter the partition's new unique GUID ('R' to randomize): 353A726C-E8E1-4A9C-BD2D-BF34F7810862 New GUID is 353A726C-E8E1-4A9C-BD2D-BF34F7810862 到此第二分割區搞定..... 建立第二系統分割區修改分割表允許擁有4個分割區 s 4 Expert command (? for help): s Current partition table size is 32. Enter new size (32 up, default 128): 4 Caution: The partition table size should officially be 16KB or larger, which works out to 128 entries. In practice, smaller tables seem to work with most OSes, but this practice is risky. I'm proceeding with the resize, but you may want to reconsider this action and undo it. Adjusting GPT size from 4 to 32 to fill the sector 返回主選單 m Expert command (? for help): m Command (? for help): 建立第三分割區(為第二系統的系統分割區) 設定前須先確定要安裝的目標系統容量大小,然後計算第三分割區區塊大小，設置第三分割區結束區塊。或者可以自行分配大一點的區塊給第三分割區例如分配2.2GB的空間給第三分割區 2.2GB = 2248MB 224810241024=2357198848 byte 2357198848 / 4096 = 575488 (區塊大小) 開始區塊 + 區塊大小 = 結束區塊 1773576 + 575488 = 2349064 n 3 ENTER 2349064 ENTER Command (? for help): n Partition number (3-32, default 3): 3 First sector (3-3870728, default = 1773576) or {+-}size{KMGTP}: Last sector (1773576-3870728, default = 3870728) or {+-}size{KMGTP}: 2349064 Current type is 'Apple HFS/HFS+' Hex code or GUID (L to show codes, Enter = AF00): Changed type of partition to 'Apple HFS/HFS+' 建立第四分割區(為第二系統的資料分割區) 設置第四分割區結束區塊為: Last sector (2349066-3870728, default = 3870728) 的 3870728 - 3 = 3870725 也就是第四分割區結束區塊後面必須預留3個區塊空間 n 4 ENTER 3870725 ENTER Command (? for help): n Partition number (4-32, default 4): 4 First sector (3-3870728, default = 2349066) or {+-}size{KMGTP}: Last sector (2349066-3870728, default = 3870728) or {+-}size{KMGTP}: 3870725 Current type is 'Apple HFS/HFS+' Hex code or GUID (L to show codes, Enter = AF00): Changed type of partition to 'Apple HFS/HFS+' 分割區標籤與第四分割區 Attribute flags，可以不用改修改第三分割區標籤為 iOSFS c 3 iOSFS Command (? for help): c Partition number (1-3): 3 Enter name: iOSFS 修改第四分割區標籤為 iOSData c 4 iOSData Command (? for help): c Partition number (1-4): 4 Enter name: iOSData 設置第四分割區 Attribute flags x a 4 48 49 ENTER Command (? for help): x Expert command (? for help): a Partition number (1-4): 4 Known attributes are: 0: system partition 1: hide from EFI 2: legacy BIOS bootable 60: read-only 62: hidden 63: do not automount Attribute value is 0000000000000000. Set fields are: No fields set Toggle which attribute field (0-63, 64 or <Enter> to exit): 48 Have enabled the 'Undefined bit #48' attribute. Attribute value is 0001000000000000. Set fields are: 48 (Undefined bit #48) Toggle which attribute field (0-63, 64 or <Enter> to exit): 49 Have enabled the 'Undefined bit #49' attribute. Attribute value is 0003000000000000. Set fields are: 48 (Undefined bit #48) 49 (Undefined bit #49) Toggle which attribute field (0-63, 64 or <Enter> to exit): 列出分割表 p Command (? for help): p Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB Logical sector size: 4096 bytes Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079 Partition table holds up to 32 entries First usable sector is 3, last usable sector is 3870728 Partitions will be aligned on 2-sector boundaries Total free space is 8 sectors (32.0 KiB) Number Start (sector) End (sector) Size Code Name 1 6 569545 2.2 GiB AF00 System 2 569546 1773574 4.6 GiB AF00 Data 3 1773576 2349064 2.2 GiB AF00 Apple HFS/HFS+ 4 2349066 3870725 5.8 GiB AF00 Apple HFS/HFS+ 最後如果沒問題按 w 然後 Y 寫入如果有問題按 q 退出，從頭開始 Do you want to proceed? (Y/N): Y OK; writing new GUID partition table (GPT) to /dev/rdisk0s1. Warning: Devices opened with shared lock will not have their partition table automatically reloaded! Warning: The kernel may continue to use old or deleted partitions. You should reboot or remove the drive. The operation has completed successfully. 寫入之後按輸入幾次 sync # sync # sync # sync # sync 確認新的分割區是否出現 # ls /dev/disk* /dev/disk0 /dev/disk0s1s1 /dev/disk0s1s3 /dev/disk1 /dev/disk0s1 /dev/disk0s1s2 /dev/disk0s1s4 2017-8-24 20:26 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 6 楼四安裝與啟動 RootFS 解密範例 iPhone 4S 7.1.2 RootFS 解密 dmg extract 058-4365-009.dmg rootfs.dmg -k <key> dmg build decrypted.dmg rootfs.dmg rm decrypted.dmg 或 vfdecrypt -k <key> -i 058-4365-009.dmg -o rootfs.dmg 上傳解密的 RootFS 到手機 /private/var/root/ scp rootfs.dmg root@device_ip:/private/var/root/ 格式化分割區如果區塊大小是 4096 BSIZE="4096" OPT="-b" 如果區塊大小是 8192 BSIZE="8192" OPT="-J -b" format disk0s1s3 /sbin/newfs_hfs -s $OPT $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s3 format disk0s1s4 * 如果區塊大小是 4096 (iOS 9以前的版本) /sbin/newfs_hfs -s $OPT $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s4 * 如果區塊大小是 8192 (iOS 9以後的版本要加 -P 未實驗) /sbin/newfs_hfs -s $OPT -P $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s4 回復rootfs到disk0s1s3 asr restore --source /private/var/root/rootfs.dmg --target /dev/disk0s1s3 --erase 完成後執行 fsck_hfs -f /dev/disk0s1s3 清除暫存 rm /private/var/root/rootfs.dmg 建立掛載點目錄 mkdir -p /mnt3 mkdir -p /mnt4 掛載第三分割區 mount_hfs /dev/disk0s1s3 /mnt3 掛載第四分割區 mount_hfs /dev/disk0s1s4 /mnt4 移動 /private/var/ 內容到第四分割區 mv -v /mnt3/private/var/* /mnt4/ rm -rf /mnt4/log/asl/SweepStore rm -rf /mnt4/mobile/Library/PreinstalledAssets/* 修改起動分割區 sed -i 's/disk0s1/disk0s1s3/g' /mnt3/private/etc/fstab sed -i 's/disk0s2/disk0s1s4/g' /mnt3/private/etc/fstab 複製基頻文件 mkdir -p /mnt3/usr/local/standalone/firmware/Baseband/Trek cp -r /usr/local/standalone/firmware/Baseband/Trek/* /mnt3/usr/local/standalone/firmware/Baseband/Trek/ cd /usr/local/standalone/firmware/Baseband/Trek zip -r0 /mnt3/usr/local/standalone/firmware/Baseband/Trek/Trek-personalized.zip * 複製keybags mkdir /mnt4/keybags chown -R 0:0 /mnt4/keybags chmod -R 700 /mnt4/keybags rm /mnt4/keybags/systembag.kb cp -r /private/var/keybags/* /mnt4/keybags/ keybag 修復 # keybagd 補釘詳見 keybagd Patch rm /mnt3/usr/libexec/keybagd 修改好之後上傳替換 scp keybagd root@device_ip:/mnt3/usr/libexec/ # keybagd 重新簽名 * iOS 7 cat << EOF > /tmp/e.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.keystore.device</key> <true/> <key>com.apple.keystore.stash.access</key> <true/> </dict> </plist> EOF * iOS 6 cat << EOF > /tmp/e.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.keystore.device</key> <true/> </dict> </plist> EOF ldid -S/tmp/e.xml /mnt3/usr/libexec/keybagd 安裝 fixkeybag 下載原始碼自行編譯 https://github.com/NyanSatan/fixkeybag 編譯並複製到 /mnt3/sbin/ 或從 dualbootstuff 複製 cp -a /usr/share/dualbootstuff/fixkeybag /mnt3/usr/libexec/ 開機自動載入 fixkeybag echo "bsexec .. /usr/libexec/fixkeybag" >> /mnt3/private/etc/launchd.conf 或 cat << EOF > /mnt3/System/Library/LaunchDaemons/acom.dualboot.fixkeybag.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>acom.dualboot.fixkeybag</string> <key>POSIXSpawnType</key> <string>Interactive</string> <key>ProgramArguments</key> <array> <string>/usr/libexec/fixkeybag</string> </array> <key>RunAtLoad</key> <true/> <key>LaunchOnlyOnce</key> <true/> <key>UserName</key> <string>root</string> </dict> </plist> EOF 重新簽名 cat << EOF > /tmp/ent.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.keystore.device</key> <true/> <key>get-task-allow</key> <true/> <key>run-unsigned-code</key> <true/> <key>task_for_pid-allow</key> <true/> </dict> </plist> EOF ldid -S/tmp/ent.xml /mnt3/usr/libexec/fixkeybag 添加 bootchain 文件提取 kernelcache.release.n94 解密。 xpwntool kernelcache.release.n94 kernelcache -iv <IV> -k <KEY> -decrypt 提取 ramdisk.dmg 解密。 xpwntool ramdisk.dmg ramdisk -iv <IV> -k <Key> -decrypt 提取 DeviceTree.n94ap.img3 解密。 xpwntool DeviceTree.n94ap.img3 devicetree -iv <IV> -k <Key> -decrypt 提取 applelogo@2x~iphone.s5l8940x.img3 解密 xpwntool applelogo@2x~iphone.s5l8940x.img3 applelogo -iv <IV> -k <Key> -decrypt 將 applelogo、ramdisk、kernelcache、devicetree 上傳第二系統根目錄 root@device_ip:/mnt3/ 註: applelogo 非必要將已修改好的 iBSS、iBEC 上傳到 root@device_ip:/ 修復權限 chown -R 0:0 /mnt3/kernelcache chown -R 0:0 /mnt3/ramdisk chown -R 0:0 /mnt3/devicetree 卸載分割區 umount /mnt3 umount /mnt4 啟動系統要啟動第二系統，請拔下傳輸線，勿處於充電狀態。執行multi_kloader命令之後會進入睡眠模式，按一下Home鍵，開始引導第二系統。啟動命令 iPhone 4S 4smulti_kloader /iBSS /iBEC 其他 multi_kloader /iBSS /iBEC 2017-8-24 20:34 0
schroep 雪币： 101 活跃值： (78) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 42 粉丝 2 关注私信	schroep 7 楼 6666 2017-9-18 12:57 0
小调调雪币： 3229 活跃值： (3281) 能力值： ( LV4，RANK：40 ) 在线值：发帖 26 回帖 380 粉丝 19 关注私信	小调调 8 楼双击6666 2017-9-18 15:55 0
xia0 雪币： 1597 活跃值： (714) 能力值： ( LV5，RANK：60 ) 在线值：发帖 3 回帖 31 粉丝 15 关注私信	xia0 1 9 楼请问下解密iBSS放入IDA后需要怎么转换成code呢？ 2017-9-30 00:11 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 2 楼

二 Patching bootchain

1. iBSS Patch

解密 iBSS

xpwntool 輸入 輸出 -iv <IV> -k <Key>

IDA Pro 載入

查看 ROM:00000044 LDR R1, =0x34000000

0x34000000 為載入基址

Edit > Segments > Rebase program...設定基址為 0x34000000

搜尋字串 iBSS ready, asking for DFU...

來到這裡

ROM:340008F2                 LDR             R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n"
ROM:340008F4                 BL              sub_3400C850
ROM:340008F8                 BL              sub_34007A18
ROM:340008FC                 MOVW            R10, #0
ROM:34000900                 ADD.W           R11, SP, #0x14
ROM:34000904                 MOV.W           R8, #1
ROM:34000908                 MOVT.W          R10, #0x8FE0 ; 改為 #0x7FD0
ROM:3400090C
ROM:3400090C loc_3400090C
ROM:3400090C                 MOVS            R0, #1
ROM:3400090E                 BL              sub_340098B4
ROM:34000912                 MOV.W           R0, #0x200000
ROM:34000916                 MOV.W           R1, #0x200000
ROM:3400091A                 STR             R0, [SP,#0x14]
ROM:3400091C                 MOV             R0, R10
ROM:3400091E                 STR.W           R10, [SP,#0x18]
ROM:34000922                 BL              sub_3400B12C ; 改為NOP
ROM:34000926                 MOV             R6, R0
ROM:34000928                 CMP             R6, #0
ROM:3400092A                 BLT             loc_3400090C ; 改為NOP

iPhone 4S 改為 #0xBFD0

0x908  ?B F? D0 ??

其他改為 #0x7FD0

0x908  ?7 F? D0 ??

iOS 8 則搜尋 HEX 00 00 E0 8F (0x8FE00000) 改為與 multi_kloader 批配的 iBEC Remap addresses 0x7FD00000

搜尋字串 Apple Mobile Device (DFU Mode)

x 選擇第一項目

來到這裡

ROM:3400A638 sub_3400A638
ROM:3400A638                 PUSH            {R4,R7,LR}
ROM:3400A63A                 LDR             R4, =0x34012D34
ROM:3400A63C                 MOVS            R0, #0
ROM:3400A63E                 ADD             R7, SP, #4
ROM:3400A640                 LDRB            R1, [R4]
ROM:3400A642                 CMP             R1, #0
ROM:3400A644                 IT NE
ROM:3400A646                 POPNE           {R4,R7,PC}
ROM:3400A648                 LDR             R0, =aAppleMobileDev ; "Apple Mobile Device (DFU Mode)"
ROM:3400A64A                 BL              sub_3400A6B8

sub_3400A638 x 返回
ROM:3400B12C sub_3400B12C
ROM:3400B12C                 PUSH            {R4-R7,LR}
ROM:3400B12E                 LDR             R5, =0x34012EF0
ROM:3400B130                 ADD             R7, SP, #0xC
ROM:3400B132                 STRD.W          R0, R1, [R5]
ROM:3400B136                 BL              sub_3400A638 ; 返回到此

sub_3400B12C x 返回
ROM:340008F2                 LDR             R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n"
ROM:340008F4                 BL              sub_3400C850
ROM:340008F8                 BL              sub_34007A18
ROM:340008FC                 MOVW            R10, #0
ROM:34000900                 ADD.W           R11, SP, #0x14
ROM:34000904                 MOV.W           R8, #1
ROM:34000908                 MOVT.W          R10, #0x8FE0 ; 改為 #0xBFD0
ROM:3400090C
ROM:3400090C loc_3400090C
ROM:3400090C                 MOVS            R0, #1
ROM:3400090E                 BL              sub_340098B4
ROM:34000912                 MOV.W           R0, #0x200000
ROM:34000916                 MOV.W           R1, #0x200000
ROM:3400091A                 STR             R0, [SP,#0x14]
ROM:3400091C                 MOV             R0, R10
ROM:3400091E                 STR.W           R10, [SP,#0x18]
ROM:34000922                 BL              sub_3400B12C ; 返回到此 改為NOP
ROM:34000926                 MOV             R6, R0
ROM:34000928                 CMP             R6, #0
ROM:3400092A                 BLT             loc_3400090C ; BLT loop 改為NOP

0x922  00 BF 00 BF
0x92A  00 BF

搜尋 TEXT "CMP R1, #0x41 ; 'A'"

代碼開頭 x 返回

ROM:340065E8                 IT NE
ROM:340065EA                 ORRNE.W         R6, R6, #4
ROM:340065EE                 ADD             R3, SP, #0xC8+var_90
ROM:340065F0                 MOV             R1, R5
ROM:340065F2                 MOV             R2, R6
ROM:340065F4                 BL              sub_34006190 ; 來到這裡 改為 MOVS R0, #0   STR R0, [R3]
ROM:340065F8                 MOVS            R1, #0
ROM:340065FA                 CMP             R0, #0

0x65F4  00 20 18 60

然後往上看

ROM:3400657C                 BL              sub_340060E4 ; 這裡進入
ROM:34006580                 MOV.W           R10, #0xFFFFFFFF
ROM:34006584                 CMP             R0, #0
ROM:34006586                 BNE.W           loc_3400679E
ROM:3400658A                 LDR             R0, [SP,#0xC8+var_84]
ROM:3400658C                 MOVS            R5, #0
ROM:3400658E                 CMP             R6, #0
ROM:34006590                 LDR             R0, [R0]
ROM:34006592                 LDR             R0, [R0,#0x10]
ROM:34006594                 STR             R0, [SP,#0xC8+var_9C]
ROM:34006596                 BEQ             loc_340065B0 x 2
ROM:34006598
ROM:34006598 loc_34006598
ROM:34006598                 MOV.W           R10, #0xFFFFFFFF
ROM:3400659C                 CMP             R5, R6
ROM:3400659E                 BCS.W           loc_3400679E
ROM:340065A2                 LDR.W           R0, [R8,R5,LSL#2]
ROM:340065A6                 ADDS            R5, #1
ROM:340065A8                 LDR             R1, [SP,#0xC8+var_9C]
ROM:340065AA                 CMP             R0, R1
ROM:340065AC                 BNE             loc_34006598
ROM:340065AE                 LDR             R5, [SP,#0xC8+var_9C]
ROM:340065B0
ROM:340065B0 loc_340065B0 x 2
ROM:340065B0                 LDR             R1, [R4,#0xC]
ROM:340065B2                 MOVW            R2, #0x6733
ROM:340065B6                 LDR             R0, [R4,#0x10]
ROM:340065B8                 MOVT.W          R2, #0x696D
ROM:340065BC                 CMP             R1, R2
ROM:340065BE                 ITT EQ
ROM:340065C0                 MOVEQ           R6, #1
ROM:340065C2                 TSTEQ.W         R0, #0x200
ROM:340065C6                 BEQ             loc_340065CE ; x 1
ROM:340065C8                 AND.W           R0, R0, #4
ROM:340065CC                 LSRS            R6, R0, #2
ROM:340065CE
ROM:340065CE loc_340065CE x 1
ROM:340065CE                 BL              sub_34006EB0
ROM:340065D2                 MOV             R1, R0
ROM:340065D4                 MOVS            R0, #0
ROM:340065D6                 STRB.W          R0, [SP,#0xC8+var_90]
ROM:340065DA                 LDR             R0, [SP,#0xC8+var_84]
ROM:340065DC                 CMP             R0, #0
ROM:340065DE                 BEQ.W           loc_3400682A
ROM:340065E2                 CMP             R1, #0
ROM:340065E4                 LDR.W           R8, [R4,#0x10]
ROM:340065E8                 IT NE
ROM:340065EA                 ORRNE.W         R6, R6, #4
ROM:340065EE                 ADD             R3, SP, #0xC8+var_90
ROM:340065F0                 MOV             R1, R5
ROM:340065F2                 MOV             R2, R6
ROM:340065F4                 BL              sub_34006190 ; 改為 MOVS R0, #0   STR R0, [R3]

來到這裡

ROM:340060E4 sub_340060E4
ROM:340060E4                 PUSH            {R4-R7,LR}
ROM:340060E6                 ADD             R7, SP, #0xC
ROM:340060E8                 PUSH.W          {R8,R10}
ROM:340060EC                 MOV             R6, R2
ROM:340060EE                 MOV             R8, R0
ROM:340060F0                 MOV             R10, R3
ROM:340060F2                 MOV             R5, R1
ROM:340060F4                 MOVS            R0, #0x16
ROM:340060F6                 CMP             R6, #0x14
ROM:340060F8                 BCC             loc_34006188
ROM:340060FA                 LDR             R1, [R5]
ROM:340060FC                 MOVW            R2, #0x6733
ROM:34006100                 MOVS            R0, #0x16
ROM:34006102                 MOVT.W          R2, #0x496D
ROM:34006106                 CMP             R1, R2
ROM:34006108                 BNE             loc_34006188
ROM:3400610A                 LDR             R1, [R5,#8]
ROM:3400610C                 SUB.W           R2, R6, #0x14
ROM:34006110                 MOVS            R0, #0x16
ROM:34006112                 CMP             R1, R2
ROM:34006114                 BHI             loc_34006188 ; 改為 NOP
ROM:34006116                 LDR             R2, [R5,#0xC]
ROM:34006118                 MOVS            R0, #0x16
ROM:3400611A                 CMP             R2, R1
ROM:3400611C                 BHI             loc_34006188

0x6114  00 BF

修改完後不用加密

2017-8-24 20:11

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 3 楼

2. iBEC Patch

解密 iBEC

用法: xpwntool 輸入 輸出 -iv <IV> -k <Key>

IDA Pro 載入

查看 ROM:00000044 LDR R1, =0x9FF00000

0x9FF00000 為載入基址

Edit > Segments > Rebase program...設定基址為 0x9FF00000

搜尋 TEXT "CMP R1, #0x41 ; 'A'"

代碼開頭 x 返回

ROM:9FF1A3D0                 MOV             R1, R5
ROM:9FF1A3D2                 MOV             R2, R6
ROM:9FF1A3D4                 BL              sub_9FF19CC0 ; 返回到此 改為 MOVS R0, #0   STR R0, [R3]
0x1A3D4 00 20 18 60

然後往上看代碼

ROM:9FF1A35C                 BL              sub_9FF19C14 ; 這裡進入
ROM:9FF1A360                 MOV.W           R10, #0xFFFFFFFF
ROM:9FF1A364                 CMP             R0, #0
ROM:9FF1A366                 BNE.W           loc_9FF1A57E
ROM:9FF1A36A                 LDR             R0, [SP,#0xC8+var_84]
ROM:9FF1A36C                 MOVS            R5, #0
ROM:9FF1A36E                 CMP             R6, #0
ROM:9FF1A370                 LDR             R0, [R0]
ROM:9FF1A372                 LDR             R0, [R0,#0x10]
ROM:9FF1A374                 STR             R0, [SP,#0xC8+var_9C]
ROM:9FF1A376                 BEQ             loc_9FF1A390 ; x 2
ROM:9FF1A378
ROM:9FF1A378 loc_9FF1A378
ROM:9FF1A378                 MOV.W           R10, #0xFFFFFFFF
ROM:9FF1A37C                 CMP             R5, R6
ROM:9FF1A37E                 BCS.W           loc_9FF1A57E
ROM:9FF1A382                 LDR.W           R0, [R8,R5,LSL#2]
ROM:9FF1A386                 ADDS            R5, #1
ROM:9FF1A388                 LDR             R1, [SP,#0xC8+var_9C]
ROM:9FF1A38A                 CMP             R0, R1
ROM:9FF1A38C                 BNE             loc_9FF1A378
ROM:9FF1A38E                 LDR             R5, [SP,#0xC8+var_9C]
ROM:9FF1A390
ROM:9FF1A390 loc_9FF1A390 x 2
ROM:9FF1A390                 LDR             R1, [R4,#0xC] ; x 2
ROM:9FF1A392                 MOVW            R2, #0x6733
ROM:9FF1A396                 LDR             R0, [R4,#0x10]
ROM:9FF1A398                 MOVT.W          R2, #0x696D
ROM:9FF1A39C                 CMP             R1, R2
ROM:9FF1A39E                 ITT EQ
ROM:9FF1A3A0                 MOVEQ           R6, #1
ROM:9FF1A3A2                 TSTEQ.W         R0, #0x200
ROM:9FF1A3A6                 BEQ             loc_9FF1A3AE ; x 1
ROM:9FF1A3A8                 AND.W           R0, R0, #4
ROM:9FF1A3AC                 LSRS            R6, R0, #2
ROM:9FF1A3AE
ROM:9FF1A3AE loc_9FF1A3AE  x 1
ROM:9FF1A3AE                 BL              sub_9FF1DF64
ROM:9FF1A3B2                 MOV             R1, R0
ROM:9FF1A3B4                 MOVS            R0, #0
ROM:9FF1A3B6                 STRB.W          R0, [SP,#0xC8+var_90]
ROM:9FF1A3BA                 LDR             R0, [SP,#0xC8+var_84]
ROM:9FF1A3BC                 CMP             R0, #0
ROM:9FF1A3BE                 BEQ.W           loc_9FF1A60A
ROM:9FF1A3C2                 CMP             R1, #0
ROM:9FF1A3C4                 LDR.W           R8, [R4,#0x10]
ROM:9FF1A3C8                 IT NE
ROM:9FF1A3CA                 ORRNE.W         R6, R6, #4
ROM:9FF1A3CE                 ADD             R3, SP, #0xC8+var_90
ROM:9FF1A3D0                 MOV             R1, R5
ROM:9FF1A3D2                 MOV             R2, R6
ROM:9FF1A3D4                 BL              sub_9FF19CC0 ; 改為 MOVS R0, #0   STR R0, [R3]

來到這裡

ROM:9FF19C14 sub_9FF19C14
ROM:9FF19C14                 PUSH            {R4-R7,LR}
ROM:9FF19C16                 ADD             R7, SP, #0xC
ROM:9FF19C18                 PUSH.W          {R8,R10}
ROM:9FF19C1C                 MOV             R6, R2
ROM:9FF19C1E                 MOV             R8, R0
ROM:9FF19C20                 MOV             R10, R3
ROM:9FF19C22                 MOV             R5, R1
ROM:9FF19C24                 MOVS            R0, #0x16
ROM:9FF19C26                 CMP             R6, #0x14
ROM:9FF19C28                 BCC             loc_9FF19CB8
ROM:9FF19C2A                 LDR             R1, [R5]
ROM:9FF19C2C                 MOVW            R2, #0x6733
ROM:9FF19C30                 MOVS            R0, #0x16
ROM:9FF19C32                 MOVT.W          R2, #0x496D
ROM:9FF19C36                 CMP             R1, R2
ROM:9FF19C38                 BNE             loc_9FF19CB8
ROM:9FF19C3A                 LDR             R1, [R5,#8]
ROM:9FF19C3C                 SUB.W           R2, R6, #0x14
ROM:9FF19C40                 MOVS            R0, #0x16
ROM:9FF19C42                 CMP             R1, R2
ROM:9FF19C44                 BHI             loc_9FF19CB8 ; 改為 NOP
ROM:9FF19C46                 LDR             R2, [R5,#0xC]
ROM:9FF19C48                 MOVS            R0, #0x16
ROM:9FF19C4A                 CMP             R2, R1
ROM:9FF19C4C                 BHI             loc_9FF19CB8

0x19C44 00 BF

找尋字串 debug-enabled

x 選擇第一項目

來到這裡

ROM:9FF1AED0 loc_9FF1AED0
ROM:9FF1AED0                 LDR.W           R0, =aDebugEnabled ; "debug-enabled"
ROM:9FF1AED4                 ADD             R1, SP, #0xAC+var_3C
ROM:9FF1AED6                 STR             R0, [SP,#0xAC+var_3C]
ROM:9FF1AED8                 ADD             R2, SP, #0xAC+var_40
ROM:9FF1AEDA                 LDR             R0, [SP,#0xAC+var_34]
ROM:9FF1AEDC                 ADD             R3, SP, #0xAC+var_38
ROM:9FF1AEDE                 BL              sub_9FF17B8C
ROM:9FF1AEE2                 CMP             R0, #1
ROM:9FF1AEE4                 BNE             loc_9FF1AEF6
ROM:9FF1AEE6                 MOVS            R0, #0x20 ; ' '
ROM:9FF1AEE8                 BL              sub_9FF20E40 ; 改為 MOVS R0, #1
ROM:9FF1AEEC                 CMP             R0, #1
ROM:9FF1AEEE                 ITTT EQ
ROM:9FF1AEF0                 LDREQ           R0, [SP,#0xAC+var_40]
ROM:9FF1AEF2                 MOVEQ           R1, #1
ROM:9FF1AEF4                 STREQ           R1, [R0]

0x1AEE8 01 20 01 20

找尋字串 upgrade 改為 fsboot

找尋字串 false 改為 true

找尋字串 Reliance on this certificate by any party assumes acceptance 位於 offset 0x42680

0x42680+0x9FF00000=0x9FF42680 Byte = 80 26 F4 9F

在 0x42680 寫入 rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff

搜尋 rd=md0 nand-enable-reformat=1 -progress offset 位於 offset 0x3B810

0x3B810+0x9FF00000=0x9FF3B810 Byte = 10 B8 F3 9F

搜尋指標指向 0x9FF3B810 的位址

找尋 Byte 10 B8 F3 9F

0x1C250 指標指向 0x9FF3B810

將 rd=md0 ... 指標替換為 rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff 的指標

offset 0x1C250 寫入 80 26 F4 9F (0x9FF42680)

修改完後添加img3檔頭

用法: xpwntool 輸入輸出 -t <原始加密文件>

範例:

xpwntool iBEC.dec iBEC -t iBEC.n94ap.RELEASE.dfu

2017-8-24 20:13

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 4 楼

3. keybagd Patch

for iOS 6/7

安裝第二系統後

使用scp下載 root@device_ip:/mnt3/usr/libexec/keybagd 到電腦修改，改完後替換源文件並重新簽名。

搜尋 RegisterBackupBag

__const:0000A27C                 DCD cfstr_Com_apple_keys ; "com.apple.keystore.device"
__const:0000A280                 DCD cfstr_Registerbackup ; "RegisterBackupBag"
__const:0000A284                 DCD sub_23B8+1           ; 這裡點進去

__text:000023B8                 PUSH            {R4-R7,LR}
__text:000023BA                 ADD             R7, SP, #0xC           ; 改為 MOVS R0, #0   POP {R4-R7,PC}
__text:000023BC                 STR.W           R8, [SP,#0xC+var_10]!
__text:000023C0                 SUB             SP, SP, #0x34
__text:000023C2                 MOV             R5, R1
__text:000023C4                 MOV             R1, #(cfstr_Backupkeybagke - 0x23D2) ; "BackupKeyBagKeys"
__text:000023CC                 MOV             R8, R0
__text:000023CE                 ADD             R1, PC  ; "BackupKeyBagKeys"
__text:000023D0                 MOV             R0, R5
__text:000023D2                 BL              sub_1CA4
__text:000023D6                 MOVW            R1, #(:lower16:(cfstr_Passcode - 0x23E6)) ; "Passcode"
__text:000023DA                 MOV             R6, R0
__text:000023DC                 MOVT.W          R1, #(:upper16:(cfstr_Passcode - 0x23E6)) ; "Passcode"
__text:000023E0                 MOV             R0, R5
__text:000023E2                 ADD             R1, PC  ; "Passcode"

0x13BA   00 20 F0 BD

搜尋 EXPORT _AppleKeyStoreKeyBagChangeSecret

x 返回

來到這裡

__text:0000622A                 BL              _AppleKeyStoreKeyBagGetSystem
__text:0000622E                 MOV             R1, R0
__text:00006230                 MOV.W           R0, #0xFFFFFFFF
__text:00006234                 CBNZ            R1, loc_6266 ; 改為 B
__text:00006236                 LDR             R0, [SP,#0x1C+var_14]
__text:00006238                 MOV             R1, R6
__text:0000623A                 MOV             R2, R5
__text:0000623C                 BL              _AppleKeyStoreKeyBagChangeSecret
__text:00006240                 MOV             R1, R0
__text:00006242                 MOV.W           R0, #0xFFFFFFFF
__text:00006246                 CBNZ            R1, loc_6266
__text:00006248                 LDR             R0, [SP,#0x1C+var_14]
__text:0000624A                 MOV             R2, #(aPrivateVar - 0x625A) ; "/private/var/"
__text:00006252                 MOV.W           R8, #1
__text:00006256                 ADD             R2, PC  ; "/private/var/"
__text:00006258                 MOVS            R1, #0
__text:0000625A                 MOV             R3, R4
__text:0000625C                 STR.W           R8, [SP,#0x1C+var_1C]
__text:00006260                 STR             R1, [SP,#0x1C+var_18]
__text:00006262                 BL              _KBSaveBagHandle

0x5234  17 E0

搜尋 EXPORT _KBUpdateSystemKeyBag

__text:00006338                 EXPORT _KBUpdateSystemKeyBag
__text:00006338                 PUSH            {R4-R7,LR}
__text:0000633A                 ADD             R7, SP, #0xC
__text:0000633C                 STR.W           R8, [SP,#0xC+var_10]!
__text:00006340                 SUB             SP, SP, #0xC
__text:00006342                 MOV             R5, R0
__text:00006344                 MOV             R0, #(aPrivateVarKeyb - 0x6358) ; "/private/var//keybags"
__text:0000634C                 MOV             R1, #(aSystembag - 0x635A) ; "systembag"
__text:00006354                 ADD             R0, PC  ; "/private/var//keybags"
__text:00006356                 ADD             R1, PC  ; "systembag"
__text:00006358                 BL              _KBLoadKeyBag
__text:0000635C                 MOV             R6, R0
__text:0000635E                 CMP             R6, #0
__text:00006360                 BEQ             loc_63EC ; 改為 B
__text:00006362                 MOVW            R1, #(:lower16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff"
__text:00006366                 MOV             R0, R6
__text:00006368                 MOVT.W          R1, #(:upper16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff"

0x5360  ?? E0

搜尋字串 auto-boot

__text:00002BCA                 ADD             R0, PC  ; "keybagd"
__text:00002BCC                 BL              sub_2A4C
__text:00002BD0                 MOV             R0, #(aAutoBoot - 0x2BE4) ; "auto-boot"
__text:00002BD8                 MOV             R1, #(aFalse - 0x2BE6) ; 將字串改為 true
__text:00002BE0                 ADD             R0, PC  ; "auto-boot"
__text:00002BE2                 ADD             R1, PC  ; "false"

搜尋字串 false 改為 true 0x00結尾

2017-8-24 20:17

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 5 楼

三磁碟分割

調整第二分割區大小

================================

調整 /private/var 分割區大小來釋放空間，來建立另外兩個新的分割區。

* 檢查空間

使用 ssh 連接裝置

ssh root@device_ip

# df -B1
Filesystem       1B-blocks       Used   Available Use% Mounted on
/dev/disk0s1s1  2332835840 2224795648    84713472  97% /
devfs                26624      26624           0 100% /dev
/dev/disk0s1s2 13521633280  476921856 13044711424   4% /private/var
/dev/disk1       240852992   69222400   171630592  29% /Developer

/ 為系統分割區(system)

/private/var 為資料分割區(data)

1B-blocks 總空間

Used 已用空間

Available 可用空間

上面看到資料分割區:

總空間為 13521633280 byte (約12.59GB)

已經使用 476921856 byte (約454.8MB)

剩餘空間 13044711424 byte (約12.14GB)

資料分割區至少預留400-500MB的可用空間，iOS是從真實的可用空間中減去200MB，所以至少必須留700MB以上的空間。

例如：我們要分配8GB的空間給第二系統, 其餘的可用空間留給「disk0s1s2 資料分割區」

計算新的大小

8*1024*1024*1024 = 8589934592 byte

第二分區大小 - 第三分割區大小 = 第二分割區新的大小

總空間(13521633280) - 8G(8589934592) = 資料分割區新的大小(4931698688) byte (約4.59GB)

用法:

hfs_resize 掛載點新的大小(byte)

範例:調整 /private/var 容量為4.59G(4931698688 byte)

hfs_resize /private/var 4931698688

然後執行df查看調整結果

# df -B1
Filesystem      1B-blocks       Used  Available Use% Mounted on
/dev/disk0s1s1 2332835840 2224795648   84713472  97% /
devfs               26624      26624          0 100% /dev
/dev/disk0s1s2 4931698688  474763264 4456935424  10% /private/var
/dev/disk1      240852992   69222400  171630592  29% /Developer

編輯分割區

編輯磁碟

gptfdisk /dev/rdisk0s1

列出分割表

Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 2 entries
First usable sector is 6, last usable sector is 3870725
Partitions will be aligned on 2-sector boundaries
Total free space is 0 sectors (0 bytes)
Number  Start (sector)    End (sector)  Size       Code  Name
   1               6          569545   2.2 GiB     AF00  System
   2          569546         3870725   12.6 GiB    AF00  Data

第一分割區開始區塊 6 結束區塊 569545

第二分割區開始區塊 569546 結束區塊 3870725

1個區塊等於 4096-byte (4KB)，區塊對齊也就是俗稱的4K對齊。

第二分割區修正

hfs_resize 調整可能無法對齊區塊，所以必須使用gptfdisk重新對齊資料分割區的區塊。

顯示分割區2的詳細信息

i 2

Command (? for help): i
Partition number (1-2): 2
Partition GUID code: 48465300-0000-11AA-AA11-00306543ECAC (Apple HFS/HFS+)
Partition unique GUID: 353A726C-E8E1-4A9C-BD2D-BF34F7810862
First sector: 569546 (at 2.2 GiB)
Last sector: 3870725 (at 14.8 GiB)
Partition size: 3301180 sectors (12.6 GiB)
Attribute flags: 0003000000000000
Partition name: 'Data'

記住 Partition unique GUID : 353A726C-E8E1-4A9C-BD2D-BF34F7810862 後面恢復GUID會用到。

刪除第二分割區

d 2

Command (? for help): d
Partition number (1-2): 2

計算第二分割區區塊大小

新的大小(byte) / 4096 = 區塊大小

4931698688 / 4096 = 1204028

開始區塊 + 區塊大小 = 結束區塊

569546 + 1204028 = 1773574

記住第二分割區結束區塊大小為 1773574

修正第二分割區區塊大小

建立新的分割區

n ENTER 1773574 ENTER

Command (? for help): n
Using 2
First sector (569546-3870725, default = 569546) or {+-}size{KMGTP}: 
Last sector (569546-3870725, default = 3870725) or {+-}size{KMGTP}: 1773574
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00): 
Changed type of partition to 'Apple HFS/HFS+'

修改第二分割區標籤為 Data

c 2 Data

Command (? for help): c
Partition number (1-2): 2
Enter name: Data

查看修改結果

Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 2 entries
First usable sector is 6, last usable sector is 3870725
Partitions will be aligned on 2-sector boundaries
Total free space is 2097151 sectors (8.0 GiB)
Number  Start (sector)    End (sector)  Size       Code  Name
   1               6          569545   2.2 GiB     AF00  System
   2          569546         1773574   4.6 GiB     AF00  Data

修正第二分割區 Attribute flags

通常系統分割區 Attribute flags 為 0000000000000000

資料分割區 Attribute flags 為 0003000000000000

x a 2 48 49 ENTER

Command (? for help): x
Expert command (? for help): a
Partition number (1-2): 2
Known attributes are:
0: system partition
1: hide from EFI
2: legacy BIOS bootable
60: read-only
62: hidden
63: do not automount
Attribute value is 0000000000000000. Set fields are:
  No fields set
Toggle which attribute field (0-63, 64 or <Enter> to exit): 48
Have enabled the 'Undefined bit #48' attribute.
Attribute value is 0001000000000000. Set fields are:
48 (Undefined bit #48)
Toggle which attribute field (0-63, 64 or <Enter> to exit): 49
Have enabled the 'Undefined bit #49' attribute.
Attribute value is 0003000000000000. Set fields are:
48 (Undefined bit #48)
49 (Undefined bit #49)
Toggle which attribute field (0-63, 64 or <Enter> to exit):

恢復先前的GUID

先前紀錄的 Partition unique GUID 為 353A726C-E8E1-4A9C-BD2D-BF34F7810862

c 2 353A726C-E8E1-4A9C-BD2D-BF34F7810862

Expert command (? for help): c
Partition number (1-2): 2
Enter the partition's new unique GUID ('R' to randomize): 353A726C-E8E1-4A9C-BD2D-BF34F7810862
New GUID is 353A726C-E8E1-4A9C-BD2D-BF34F7810862

到此第二分割區搞定.....

建立第二系統分割區

修改分割表允許擁有4個分割區

s 4

Expert command (? for help): s
Current partition table size is 32.
Enter new size (32 up, default 128): 4
Caution: The partition table size should officially be 16KB or larger,
which works out to 128 entries. In practice, smaller tables seem to
work with most OSes, but this practice is risky. I'm proceeding with
the resize, but you may want to reconsider this action and undo it.
Adjusting GPT size from 4 to 32 to fill the sector

返回主選單

Expert command (? for help): m
Command (? for help):

建立第三分割區(為第二系統的系統分割區)

設定前須先確定要安裝的目標系統容量大小,然後計算第三分割區區塊大小，設置第三分割區結束區塊。

或者可以自行分配大一點的區塊給第三分割區

例如分配2.2GB的空間給第三分割區

2.2GB = 2248MB

2248*1024*1024=2357198848 byte

2357198848 / 4096 = 575488 (區塊大小)

開始區塊 + 區塊大小 = 結束區塊

1773576 + 575488 = 2349064

n 3 ENTER 2349064 ENTER

Command (? for help): n
Partition number (3-32, default 3): 3
First sector (3-3870728, default = 1773576) or {+-}size{KMGTP}: 
Last sector (1773576-3870728, default = 3870728) or {+-}size{KMGTP}: 2349064
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00): 
Changed type of partition to 'Apple HFS/HFS+'

建立第四分割區(為第二系統的資料分割區)

設置第四分割區結束區塊為:

Last sector (2349066-3870728, default = 3870728) 的 3870728 - 3 = 3870725

也就是第四分割區結束區塊後面必須預留3個區塊空間

n 4 ENTER 3870725 ENTER

Command (? for help): n
Partition number (4-32, default 4): 4
First sector (3-3870728, default = 2349066) or {+-}size{KMGTP}: 
Last sector (2349066-3870728, default = 3870728) or {+-}size{KMGTP}: 3870725
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00): 
Changed type of partition to 'Apple HFS/HFS+'

分割區標籤與第四分割區 Attribute flags，可以不用改

修改第三分割區標籤為 iOSFS

c 3 iOSFS

Command (? for help): c
Partition number (1-3): 3
Enter name: iOSFS

修改第四分割區標籤為 iOSData

c 4 iOSData

Command (? for help): c
Partition number (1-4): 4
Enter name: iOSData

設置第四分割區 Attribute flags

x a 4 48 49 ENTER

Command (? for help): x
Expert command (? for help): a
Partition number (1-4): 4
Known attributes are:
0: system partition
1: hide from EFI
2: legacy BIOS bootable
60: read-only
62: hidden
63: do not automount
Attribute value is 0000000000000000. Set fields are:
  No fields set
Toggle which attribute field (0-63, 64 or <Enter> to exit): 48
Have enabled the 'Undefined bit #48' attribute.
Attribute value is 0001000000000000. Set fields are:
48 (Undefined bit #48)
Toggle which attribute field (0-63, 64 or <Enter> to exit): 49
Have enabled the 'Undefined bit #49' attribute.
Attribute value is 0003000000000000. Set fields are:
48 (Undefined bit #48)
49 (Undefined bit #49)
Toggle which attribute field (0-63, 64 or <Enter> to exit):

列出分割表

Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 32 entries
First usable sector is 3, last usable sector is 3870728
Partitions will be aligned on 2-sector boundaries
Total free space is 8 sectors (32.0 KiB)
Number  Start (sector)    End (sector)  Size       Code  Name
   1               6          569545   2.2 GiB     AF00  System
   2          569546         1773574   4.6 GiB     AF00  Data
   3         1773576         2349064   2.2 GiB     AF00  Apple HFS/HFS+
   4         2349066         3870725   5.8 GiB     AF00  Apple HFS/HFS+

最後如果沒問題按 w 然後 Y 寫入

如果有問題按 q 退出，從頭開始

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/rdisk0s1.
Warning: Devices opened with shared lock will not have their
partition table automatically reloaded!
Warning: The kernel may continue to use old or deleted partitions.
You should reboot or remove the drive.
The operation has completed successfully.

寫入之後按輸入幾次 sync

# sync
# sync
# sync
# sync

確認新的分割區是否出現

# ls /dev/disk*
/dev/disk0    /dev/disk0s1s1  /dev/disk0s1s3  /dev/disk1
/dev/disk0s1  /dev/disk0s1s2  /dev/disk0s1s4

2017-8-24 20:26

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 6 楼

四安裝與啟動

RootFS 解密

範例 iPhone 4S 7.1.2 RootFS

解密

dmg extract 058-4365-009.dmg rootfs.dmg -k <key>
dmg build decrypted.dmg rootfs.dmg
rm decrypted.dmg

或

vfdecrypt -k <key> -i 058-4365-009.dmg -o rootfs.dmg

上傳解密的 RootFS 到手機 /private/var/root/

scp rootfs.dmg  root@device_ip:/private/var/root/

格式化分割區

如果區塊大小是 4096

BSIZE="4096"
OPT="-b"

如果區塊大小是 8192

BSIZE="8192"
OPT="-J -b"

format disk0s1s3

/sbin/newfs_hfs -s $OPT $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s3

format disk0s1s4

* 如果區塊大小是 4096 (iOS 9以前的版本)

/sbin/newfs_hfs -s $OPT $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s4

* 如果區塊大小是 8192 (iOS 9以後的版本要加 -P 未實驗)

/sbin/newfs_hfs -s $OPT -P $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s4

回復rootfs到disk0s1s3

asr restore --source /private/var/root/rootfs.dmg --target /dev/disk0s1s3 --erase

完成後執行

fsck_hfs -f /dev/disk0s1s3

清除暫存

rm /private/var/root/rootfs.dmg

建立掛載點目錄

mkdir -p /mnt3
mkdir -p /mnt4

掛載第三分割區

mount_hfs /dev/disk0s1s3 /mnt3

掛載第四分割區

mount_hfs /dev/disk0s1s4 /mnt4

移動 /private/var/ 內容到第四分割區

mv -v /mnt3/private/var/* /mnt4/
rm -rf /mnt4/log/asl/SweepStore
rm -rf /mnt4/mobile/Library/PreinstalledAssets/*

修改起動分割區

sed -i 's/disk0s1/disk0s1s3/g' /mnt3/private/etc/fstab
sed -i 's/disk0s2/disk0s1s4/g' /mnt3/private/etc/fstab

複製基頻文件

mkdir -p /mnt3/usr/local/standalone/firmware/Baseband/Trek
cp -r /usr/local/standalone/firmware/Baseband/Trek/* /mnt3/usr/local/standalone/firmware/Baseband/Trek/
cd /usr/local/standalone/firmware/Baseband/Trek
zip -r0 /mnt3/usr/local/standalone/firmware/Baseband/Trek/Trek-personalized.zip *

複製keybags

mkdir /mnt4/keybags
chown -R 0:0 /mnt4/keybags
chmod -R 700 /mnt4/keybags
rm /mnt4/keybags/systembag.kb
cp -r /private/var/keybags/* /mnt4/keybags/

keybag 修復

# keybagd 補釘

詳見 keybagd Patch

rm /mnt3/usr/libexec/keybagd

修改好之後上傳替換

scp keybagd root@device_ip:/mnt3/usr/libexec/

# keybagd 重新簽名

* iOS 7

cat << EOF > /tmp/e.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.keystore.device</key>
    <true/>
    <key>com.apple.keystore.stash.access</key>
    <true/>
</dict>
</plist>
EOF

* iOS 6

cat << EOF > /tmp/e.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.keystore.device</key>
    <true/>
</dict>
</plist>
EOF

ldid -S/tmp/e.xml /mnt3/usr/libexec/keybagd

安裝 fixkeybag

下載原始碼自行編譯

https://github.com/NyanSatan/fixkeybag

編譯並複製到 /mnt3/sbin/

或從 dualbootstuff 複製

cp -a /usr/share/dualbootstuff/fixkeybag /mnt3/usr/libexec/

開機自動載入 fixkeybag

echo "bsexec .. /usr/libexec/fixkeybag" >> /mnt3/private/etc/launchd.conf

或

cat << EOF > /mnt3/System/Library/LaunchDaemons/acom.dualboot.fixkeybag.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>acom.dualboot.fixkeybag</string>
        <key>POSIXSpawnType</key>
        <string>Interactive</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/libexec/fixkeybag</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>LaunchOnlyOnce</key>
        <true/>
        <key>UserName</key>
        <string>root</string>
</dict>
</plist>
EOF

重新簽名

cat << EOF > /tmp/ent.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.keystore.device</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
EOF

ldid -S/tmp/ent.xml /mnt3/usr/libexec/fixkeybag

添加 bootchain 文件

提取 kernelcache.release.n94 解密。

xpwntool kernelcache.release.n94 kernelcache -iv <IV> -k <KEY> -decrypt

提取 ramdisk.dmg 解密。

xpwntool ramdisk.dmg ramdisk -iv <IV> -k <Key> -decrypt

提取 DeviceTree.n94ap.img3 解密。

xpwntool DeviceTree.n94ap.img3 devicetree -iv <IV> -k <Key> -decrypt

提取 applelogo@2x~iphone.s5l8940x.img3 解密

xpwntool applelogo@2x~iphone.s5l8940x.img3 applelogo -iv <IV> -k <Key> -decrypt

將 applelogo、ramdisk、kernelcache、devicetree 上傳第二系統根目錄 root@device_ip:/mnt3/

註: applelogo 非必要

將已修改好的 iBSS、iBEC 上傳到 root@device_ip:/

修復權限

chown -R 0:0 /mnt3/kernelcache
chown -R 0:0 /mnt3/ramdisk
chown -R 0:0 /mnt3/devicetree

卸載分割區

umount /mnt3
umount /mnt4

啟動系統

要啟動第二系統，請拔下傳輸線，勿處於充電狀態。

執行multi_kloader命令之後會進入睡眠模式，按一下Home鍵，開始引導第二系統。

啟動命令

iPhone 4S

4smulti_kloader /iBSS /iBEC

其他

multi_kloader /iBSS /iBEC

2017-8-24 20:34

0

schroep

雪币： 101

活跃值： (78)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

42

粉丝

2

关注

私信

schroep: 7 楼

6666

2017-9-18 12:57

0

小调调

雪币： 3229

活跃值： (3281)

能力值：

( LV4，RANK：40 )

在线值：

发帖

26

回帖

380

粉丝

19

关注

私信

小调调: 8 楼

双击6666

2017-9-18 15:55

0

xia0

雪币： 1597

活跃值： (714)

能力值：

( LV5，RANK：60 )

在线值：

发帖

3

回帖

31

粉丝

15

关注

私信

xia0 1: 9 楼

请问下解密iBSS放入IDA后需要怎么转换成code呢？

2017-9-30 00:11

0